Skip to content

Fix OSS-Fuzz #385993744 #18972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: PHP-8.3
Choose a base branch
from
Open

Fix OSS-Fuzz #385993744 #18972

wants to merge 1 commit into from
+53 −4

Conversation

nielsdos
Copy link
Member

PSFS_FEED_ME is supposed to be returned when the filter did not receive enough data and did not generate buckets for the output brigade. The test generates buckets anyway on the output brigade, and the stream layer did not handle that case causing a memory leak. To solve this, discard any such buckets as it would conflict with the status code returned by the filter. This keeps BC and solves the leak.

@nielsdos
Fix OSS-Fuzz #385993744
b7fd0ab 
PSFS_FEED_ME is supposed to be returned when the filter did not receive
enough data and did not generate buckets for the output brigade.
The test generates buckets anyway on the output brigade, and the stream
layer did not handle that case causing a memory leak.
To solve this, discard any such buckets as it would conflict with the
status code returned by the filter. This keeps BC and solves the leak.
@nielsdos nielsdos marked this pull request as ready for review June 28, 2025 23:15
@nielsdos nielsdos requested a review from bukka as a code owner June 28, 2025 23:15
devnexen
devnexen reviewed Jun 29, 2025
View reviewed changes
main/streams/streams.c
@@ -630,6 +630,12 @@ PHPAPI zend_result _php_stream_fill_read_buffer(php_stream *stream, size_t size)
/* when a filter needs feeding, there is no brig_out to deal with.
* we simply continue the loop; if the caller needs more data,
* we will read again, otherwise out job is done here */

/* Filter could have added buckets anyway, but signalled that it did not return any. Discard them. */
while ((bucket = brig_outp->head)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just little nit: is the style difference voluntary (i.e. initialising the var in while) ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devnexen devnexen devnexen left review comments

@bukka bukka Awaiting requested review from bukka bukka is a code owner

Assignees
No one assigned
Labels
Extension: standard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nielsdos @devnexen